
Re: Wheezy update of w3m?

Hi Raphael

See below.

On 25 November 2016 at 14:39, Raphael Hertzog <hertzog@debian.org> wrote:
> On Fri, 25 Nov 2016, Ola Lundqvist wrote:
> > I did not want to tag then no-dsa (without further analysis) due to the
> > following:
> And you expected that further analysis to be done by whoever would pick
> the package?

Yes, that, or myself when I get some more time this week.

> In that case, you could have left a comment along the lines
> of "security team tagged the issues as no-dsa, I'm not 100% sure we should
> do the same in wheezy, please review the CVE and feel free to tag them
> no-dsa as well if you agree with the security team's assessment".

Good point. I'll add that next time. This time I'll just make them
no-dsa as you seem to have assessed them better than I do.

> > 1) Our recent discussion regarding heap overflow (causing arbitrary code
> > execution) not being protected by the compiler.
> It's hard to assess this one. But here we need HTML input and I expect it
> to be harder to inject binary data hosting code that we would like to
> execute.

That is a point. But are you sure it needs to be HTML? Can it not be
just binary data over HTTP? However, I think binary data is quite easy
to inject. On the other hand, I have not checked this in detail.

> > 2) Stable security use no-dsa to mark that they are not immediately fixed
> > but could be fixed in a point release. Oldstable security do not have a
> > point release so therefore we should not use no-dsa as frequently.
> Right, but they tend to write "Minor issue, can be fixed in a point
> release" for the latter, this is not the case here.

I see. I was under the impression that this ", can be fixed in a point
release" text is often forgotten. I'm probably wrong there.

> > However if you think they are minor enough I'll happily mark them no-dsa as
> > well.
> Please do.

OK, will do so.

// Ola

> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
